tshark packet data not displaying

I'm running into a weird problem with tshark. The scenario is I'm using ettercap on a Raspberry Pi to perform a man-in-the-middle attack and look at all the traffic between two devices.

When I send messages with the Raspberry Pi to one of the devices, I can use the command

sudo tshark -Y "ip.src == 192.92.92.200" -T fields -e data

to print the hex contents of the packets I'm sending (where 192.92.92.200 is the address of the Pi). However, when I do the same with the address of one of the devices I'm ARP spoofing, no data is printed to the screen. Instead, whenever a packet is received, a blank line is printed to the screen. If I simply run

sudo tshark

all of the traffic in the network, including the packets being sent between the two devices I am ARP spoofing, is shown (though of course this command doesn't print the actual contents of the packets, which is what I'm looking for). So if tshark can see the packets being sent between the two devices, and if the contents of the packets can be printed in the case that it is sent from the Raspberry Pi, why can't I print the contents of the messages being sent from the devices I'm ARP spoofing?

Update with more details:

I tried adding more -e fields to see what would happen. When I ran the command

No, you can use that command to print the hex contents of any undissected data in those packets.

If Wireshark manages to dissect all the data in a packet as part of some protocol, rather than not knowing some protocol and having to treat that protocol's part of the packet as undissected (because undissectable) data, it will print nothing for the packet.

If you want all the hex data, you could try

sudo tshark -Y "ip.src == 192.92.92.200" -x

but you won't get one line per packet - you'll get a variable number of lines per packet, with each line having a hex offset in the packet data followed by 16 bytes of hex data and 16 characters' worth of ASCII data (the last line may have fewer than 16 bytes of data).

Note, by the way, that:

1) to quote the doc/README.packaging file in the Wireshark source:

WIRESHARK CONTAINS OVER TWO MILLION LINES OF SOURCE CODE. DO NOT RUN
THEM AS ROOT.

All of the lines of code that involve packet dissection, which is the majority of the lines of code in Wireshark, are also in TShark, so the same warning applies to it.

You probably want to make sure that the dumpcap program (which is what Wireshark and TShark run to capture traffic) was installed to run with elevated privileges (on Linux, either with capture privileges or set-UID privileges), and NOT run TShark as root.

2) You can also use the command

tshark -x src host 192.92.92.200

for the same purpose, and not have TShark even have to see packets not from 192.92.92.200.

Also, if I open up Wireshark instead of tshark, I can see the contents of the data packets.

If you open up Wireshark, you will probably see the entire hex contents of the packet in the "hex dump" pane of the display; that's what tshark -x prints.

You will probably not see very many places in the packet detail pane where it says just "Data"; those are what the data field corresponds to.
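Added example, not part of the original answer and not Wireshark's own code: a Python script that reads the multi-line dump that tshark -x prints (offset, up to 16 hex bytes, ASCII column, as the answer describes) and turns it back into one hex line per packet, which is the single-line-per-packet output -e data gives only for undissected bytes. For Ethernet/IPv4/UDP frames it also slices out the UDP payload, i.e. the bytes Wireshark would show under a "Data" subtree if no higher-layer dissector claimed them. The sample dump is constructed (made-up MAC addresses, zero checksums), and the rule that any non-blank, non-hex line starts a new packet record (tshark's one-line summary, or a data-source label) is my assumption, not something the answer states.

```python
"""Turn `tshark -x` hex-dump output into one byte string per packet.

Added example, not code from the original page or from Wireshark.
`tshark -T fields -e data` prints only bytes no dissector claimed, so a
fully dissected packet yields a blank line; `tshark -x` prints every byte
of every packet, but as a multi-line dump. This script reads that dump back.
"""
import re
import struct
import sys

# One dump line: offset (4+ hex digits), two spaces, up to 16 "xx" pairs
# separated by one or two spaces, then the ASCII column, which is ignored.
# The separator is capped at two spaces so the ASCII column (at least three
# spaces after the last real byte) can never be read as further hex pairs.
HEX_LINE = re.compile(r'^([0-9a-fA-F]{4,})  ((?:[0-9a-fA-F]{2} {1,2}){1,16})')

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def parse_hex_dump(text):
    """Return a list of (summary, frame_bytes) tuples for a `tshark -x` dump.

    Assumption (mine): any non-blank line that is not a dump line starts a
    new record. That covers the one-line summary tshark prints before each
    packet and any label line tshark prints for a secondary data source.
    """
    packets = []
    summary, buf = None, bytearray()
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEX_LINE.match(line)
        if m is None:
            if summary is not None or buf:
                packets.append((summary, bytes(buf)))
            summary, buf = line.strip(), bytearray()
            continue
        if int(m.group(1), 16) != len(buf):
            raise ValueError(f"hex-dump offset out of sequence: {line!r}")
        buf.extend(bytes.fromhex(m.group(2).replace(' ', '')))
    if summary is not None or buf:
        packets.append((summary, bytes(buf)))
    return packets


def one_line_per_packet(text):
    """The one-hex-line-per-packet output the question was after."""
    return [frame.hex() for _, frame in parse_hex_dump(text)]


def udp_payload(frame):
    """UDP payload of an Ethernet/IPv4/UDP frame, or None if it is not one.

    These are the bytes Wireshark shows as "Data" under UDP when no
    higher-layer dissector claims them, i.e. what `-e data` would print.
    """
    if len(frame) < 34 or struct.unpack('!H', frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != IPPROTO_UDP:
        return None
    total_len = struct.unpack('!H', ip[2:4])[0]
    udp = ip[ihl:min(total_len, len(ip))]   # drop Ethernet padding / truncation
    if len(udp) < 8:
        return None
    udp_len = struct.unpack('!H', udp[4:6])[0]
    return bytes(udp[8:udp_len])


# Constructed sample of `tshark -x` output (not a real capture): a UDP "hello"
# from the Pi (192.92.92.200) to a spoofed host (192.92.92.10) and its "ok"
# reply. MAC addresses are made up, checksums are zero, ASCII column unused.
SAMPLE = r"""
    1   0.000000 192.92.92.200 → 192.92.92.10 UDP 47 5000 → 5001 Len=5

0000  b8 27 eb 00 00 01 00 11 22 33 44 55 08 00 45 00   .'......"3DU..E.
0010  00 21 00 01 00 00 40 11 00 00 c0 5c 5c c8 c0 5c   .!....@....\\..\
0020  5c 0a 13 88 13 89 00 0d 00 00 68 65 6c 6c 6f      \.........hello

    2   0.001200 192.92.92.10 → 192.92.92.200 UDP 44 5001 → 5000 Len=2

0000  00 11 22 33 44 55 00 0c 29 3a 8d 4f 08 00 45 00   .."3DU..):.O..E.
0010  00 1e 00 02 00 00 40 11 00 00 c0 5c 5c 0a c0 5c   ......@....\\..\
0020  5c c8 13 89 13 88 00 0a 00 00 6f 6b               \.........ok
"""

if __name__ == '__main__':
    # Read a real dump from a pipe, or fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for summary, frame in parse_hex_dump(text):
        print(summary)
        print('  frame  :', frame.hex())
        print('  payload:', udp_payload(frame))
```

Pipe the capture into it, e.g. tshark -x src host 192.92.92.200 | python3 tshark_hexdump.py (file name is mine). Only the tshark side needs capture privileges, which per the answer should come from dumpcap's capabilities or set-UID bit rather than from running tshark as root; the parser runs as an ordinary user. The offset check raises on a dump whose lines are out of sequence rather than silently producing a frame with bytes in the wrong place.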

Comments

Is there any way to make tshark not dissect that data? I don't understand why it would allow me to see that data when it can't identify the protocol and prevent me from seeing it when it does recognize the protocol.

Also, in Wireshark the data is printed in the data field, not just in the hex dump pane.